White Paper

Securing Social Media For Healthcare

The Threat: Social Media Disclosure Of Protected Healthcare Information

Social media sites—such as Facebook and Twitter—can be a tempting outlet for healthcare employees to discuss patient information that should be private. Consider these recent incidents reported in the media:

ER staff who posted photos of patients with unusual injuries.

A physician who discussed case details in a way that allowed the patient to be identified, even without revealing the patient’s name.

Employees who think it is okay to access and share the health information of friends, relatives, or celebrities.

These breaches of information security and patient privacy may or may not be intentional, and they can be committed by an employee, a contractor, a temporary employee, or an external party. However, the repercussions for the organization of disclosing protected healthcare information (PHI) are significant, because these confidentiality breaches violate HIPAA rules about protecting patient privacy and ensuring workforce compliance. Repercussions may include:

Filing reports with the U.S. Department of Health and Human Services and state health agencies.

Incurring financial penalties of up to $50,000 for individuals and up to $1.5 million for organizations.

Notifying not only the patient and family members affected, but also the local media, which can negatively impact the organization’s reputation and patient confidence.

Making expensive and time-consuming efforts to remediate the breach, identify the parties involved (and take disciplinary action if appropriate), and retrain staff on organizational policies and practices for social media.